No one needs to deduplicate over a longer period than a few minutes, or a single session. If you need that, then you're doing something shady. If a user visits your site, clicks a few things, leaves and comes back two hours later, you don't need know if it's the same person or not. The goal of analytics is to see how people in general use your website, not how an individual person use your website.

So just take IP address, browser details, your domain name, and a random ID you stick in a 30 minute session cookie. Hash it together. Now you have token valid for 30 minutes you can use for deduplication but no way of tying it back to particular user (after 30 minutes). And yes, if the user changes browser preferences, then they will get a new hash, but who cares?

Not rocket science.

So take the IP, browser agent, your domain name and some other browser identifiers, stick them together and run them through SHA3-256, now you have a hash you can use for deduplication. You can even send this hash to a 3rd party service.

Or assign the user an anonymous session cookie that lasts an hour but contains nothing but a random GUID.

Or simply pipe your log output through a service that computes stats of accessed endpoints.

None of this requires a cookie banner.

Like the old adage goes. In the USA you have freedom for things. In Europe you have freedom from things.

We have plenty of tech companies. The reason you've not heard about them is because most of them cater to their domestic market first. Neighbors second. Rest of the world third or never.

They can't pass an act like that. USA would retaliate economically.